
09.10.2025

Sanction for infringing the GDPR


The National Supervisory Authority for Personal Data Processing completed an investigation at the controller EON ENERGIE ROMANIA S.A. and found an infringement of the provisions of Article 32 paragraph (1) letter b) and paragraph (2) of Regulation 2016/679.

For this deed, the controller was sanctioned with a fine of 126,797 lei, the equivalent of 25,000 euros.

The investigation was initiated following the transmission by the controller EON ENERGIE ROMANIA S.A. of a notification of a personal data breach, in accordance with the provisions of Article 33 of Regulation (EU) 679/2016.

Thus, the controller notified the fact that a series of categories of personal data of a significant number of data subjects, namely user accounts including e-mail addresses and passwords, had been accessed and exfiltrated in an unauthorized manner.

At the same time, during the investigation, it emerged that the controller had not implemented adequate technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing, in particular the risk of accidental or unlawful unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed.

This situation led to unauthorized access to personal data (email addresses and passwords) of a significant number of data subjects and generated a high risk of potential financial damage.

As such, the provisions of Article 32 paragraph (1) letter b) and paragraph (2) of Regulation (EU) 2016/679 were infringed.

At the same time, pursuant to the provisions of Article 58 paragraph (2) letter d) of the GDPR, corrective measures were ordered against the controller, in order to implement mandatory multi-factor authentication for all users, including the implementation of other appropriate technical and organizational measures in order to ensure a level of security appropriate to the risk presented by the processing of personal data carried out through the controller’s customer accounts.


Legal and Communication Department

A.N.S.P.D.C.P